Following the principle set in the first version, Tallinn Manual 2.0 – a document that provides guidance on how the existing international law could be adapted to cyber operations in the most appropriate way – reiterates that cyber activity should not be perceived as happening in a legal vacuum.

Estonia has become one of the forerunners and success stories of introducing digital identity, e-governance and an online voting system. The e-residency programme, which allows foreign citizens living outside of the physical national borders of Estonia to obtain a secure digital identity and benefit from some of the services available, has further increased the interest in Estonia’s digital developments, contributing to Estonia’s image as one of the world’s most digitally advanced countries.

This impressive degree of integration means e-dimension is no longer solely the playfield of the IT sector. As this new dimension is rapidly gaining ground, various topics need to be addressed, including (and perhaps most importantly) security.

In regards to international relations, the role of the state in providing the necessary safeguards for the digital dimension, as well as its responsibility for holding malign actors to account, emerges when the state needs to decide what is the most appropriate way to respond to such acts. The universal ecosystem around the new developments is still lacking and needs to be built to provide the necessary support and integration for smooth technology transfer.

“As there are very few cyber-specific norms in international law, the space for legal interpretation is broad, which in practice can result in states playing by different rules in cyberspace,” Liis Vihul, a senior analyst at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn and the managing editor of Tallinn Manual 2.0, says. The existing rules that also govern this new space need to be jointly interpreted to bring clarity in understanding what is acceptable state behaviour and what are the potential consequences if the rules are ignored.

154 general rules to be followed

The first edition of the Tallinn Manual was published in 2013 by Cambridge University Press under the auspices of the Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence and mainly concentrated on the severe cyber-attacks which may occur during an armed conflict and might entitle states to respond in self-defence. The newly updated and extended version, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, was published in February 2017.

Following the principle set in the first version, Tallinn Manual 2.0 reiterates that international law applies also to cyber operations, and that cyber activity should not be perceived as happening in a legal vacuum.

The second edition builds on the previous version and further expands the spectrum of cyber operations, providing legal analysis also on those cyber incidents that are encountered by states on a day-to-day basis and that do not necessarily qualify as act of war. “The common perception is that it is nearly impossible to identify the perpetrator of a cyber operation, whereas in reality, it depends on the state’s intelligence capabilities and in the recent past, we’ve seen states attribute cyber operations to other states on a number of occasions,” Vihul explains.

The manual is providing guidance on how exactly the existing international law could be adapted to cyber operations in the most appropriate way. To be exact, international experts identified 154 general rules to be followed.

To ensure that the views of state representatives, as the primary beneficiaries of the book were taken into account, an unofficial consultation process was held in The Hague with more than 50 different states from all over the world. According to Vihul, engaging state representatives was particularly important, as states are the primary stakeholders when it comes to international law – the ones who make, implement and enforce it.

Building an international consensus

In cases where the international experts did not manage to reach a consensus, different opinions were included in the commentary to allow the reader to weigh the possible options. This is particularly relevant, as several cyber operations that states are tackling occur in a grey zone. The manual is a significant contribution to these debates, as it sheds light to the areas that need further attention and thus provides the necessary basis for more focused and informed debates among all the relevant stakeholders.

It is not a unique way of consensus building: the Tallinn Manual is an addition to the collection that already consists of the 1880 Oxford Manual – the Laws of War on Land, the 1994 San Remo Manual on International Law Applicable to Armed Conflicts at sea, and the Harvard Program on Humanitarian Policy and Conflict Research’s 2009 Manual on International Law Applicable to Air and Missile Warfare.

In light of this, the new Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations is a significant step forward in creating the regulatory framework for the new reality.

Even though it is not a legally binding document, it is a practical resource for legal advisers on issues that up to now have mostly been tackled on ad hoc and case-by-case basis. “Tallinn Manual 2.0 is an invaluable tool for governmental lawyers responsible for providing legal advice in mainly two situations – first, when their state has become a victim of hostile cyber operations and would like to know its response options, and second, when the state is planning to engage in cyber operations, but needs to ensure that it does so in compliance with international law,” Vihul emphasises.

Contributing to creating a common understanding and building consensus on how to approach different level cyber-attacks will not only help the states make prompt decisions on how to defend themselves, but will also deter those planning to use cyber operations as means to cause harm to another state and its citizens.